From 866c0bd91a2d0e22e7b9335b5b5972d920107045 Mon Sep 17 00:00:00 2001
From: breakings
Date: Thu, 14 Apr 2022 10:18:09 +0800
Subject: [PATCH] busybox: Fix snprintf arguments in lock (#9239) * busybox: fix busybox lock applet pidstr buffer overflow Kernel setting `/proc/sys/kernel/pid_max` can be set up to 4194304 (7 digits) which will cause buffer overflow in busbox lock patch, this often happens when running in a rootfs container environment. This commit enlarges `pidstr` to 12 bytes to ensure a sufficient buffer for pid number and an additional char '\n'. Signed-off-by: Qichao Zhang * busybox: Fix snprintf arguments in lock The first argument for snprintf is the buffer and the 2. one is the size. Fix the order. This broke the lock application. Fixes: 34567750db2c ("busybox: fix busybox lock applet pidstr buffer overflow") Reported-by: Hartmut Birr Signed-off-by: Hauke Mehrtens Co-authored-by: Qichao Zhang Co-authored-by: Hauke Mehrtens
---
 package/utils/busybox/patches/220-add_lock_util.patch | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/utils/busybox/patches/220-add_lock_util.patch b/package/utils/busybox/patches/220-add_lock_util.patch
index 4e46b74f0..579b705f3 100644
--- a/package/utils/busybox/patches/220-add_lock_util.patch
+++ b/package/utils/busybox/patches/220-add_lock_util.patch
@@ -72,9 +72,9 @@
 +
 +static int do_lock(void)
 +{
-+ int pid;
++ pid_t pid;
 + int flags;
-+ char pidstr[8];
++ char pidstr[12];
 +
 + if ((fd = open(file, O_RDWR | O_CREAT | O_EXCL, 0700)) < 0) {
 + if ((fd = open(file, O_RDWR)) < 0) {
@@ -109,7 +109,7 @@
 + if (!waitonly) {
 + lseek(fd, 0, SEEK_SET);
 + ftruncate(fd, 0);
-+ sprintf(pidstr, "%d\n", pid);
++ snprintf(pidstr, sizeof(pidstr), "%d\n", pid);
 + write(fd, pidstr, strlen(pidstr));
 + close(fd);
 + }
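Review bot: In the first hunk (`@@ -72,9 +72,9 @@`), `char pidstr[12]` is a bare magic number whose justification exists only in the commit message. A comment beside the declaration, such as `/* pid_max <= 4194304: 7 digits + '\n' + NUL; 12 leaves headroom */`, would keep the bound from being shrunk again. Formatting `"%d\n"` over the full `int` range needs 13 bytes (`-2147483648\n` plus NUL), so this size is safe only because of the kernel pid limit and the bounded `snprintf` in the later hunk. Now that `pid` is a `pid_t`, passing `(int)pid` to `%d` would make the format match on platforms where `pid_t` is not `int`. The body of do_lock continues outside the hunk.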
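Review bot: In the second hunk (`@@ -109,7 +109,7 @@`), the results of `snprintf` and `write` are discarded, so a truncated string or a failed or short write leaves the lock file empty or partial right after `ftruncate(fd, 0)`, with nothing reported to the caller. Keeping the `snprintf` result detects truncation and removes the extra `strlen`: `int n = snprintf(pidstr, sizeof(pidstr), "%d\n", (int)pid);` followed by `if (n < 0 || (size_t)n >= sizeof(pidstr) || write(fd, pidstr, n) != n) { close(fd); return 1; }`. The error return value there is a guess, because the enclosing function starts and ends outside the hunk and the assignment of `pid` is not visible here.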